Elasticsearch with HTTPS disabled
- Query id: d6c2d06f-43c1-488a-9ba1-8d75b40fc62d
- Query name: Elasticsearch with HTTPS disabled
- Platform: Ansible
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - yaml file
- name: Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters
community.aws.opensearch:
domain_name: "dev-cluster"
engine_version: Elasticsearch_1.1
cluster_config:
instance_type: "t2.small.search"
instance_count: 2
zone_awareness: false
dedicated_master: false
domain_endpoint_options:
enforce_https: false
ebs_options:
ebs_enabled: true
volume_type: "gp2"
volume_size: 10
access_policies: "{{ lookup('file', 'policy.json') | from_json }}"
Postitive test num. 2 - yaml file
- name: Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters
community.aws.opensearch:
domain_name: "dev-cluster"
engine_version: Elasticsearch_1.1
cluster_config:
instance_type: "t2.small.search"
instance_count: 2
zone_awareness: false
dedicated_master: false
domain_endpoint_options:
custom_endpoint_enabled: false
ebs_options:
ebs_enabled: true
volume_type: "gp2"
volume_size: 10
access_policies: "{{ lookup('file', 'policy.json') | from_json }}"
Postitive test num. 3 - yaml file
- name: Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters
community.aws.opensearch:
domain_name: "dev-cluster"
engine_version: Elasticsearch_1.1
cluster_config:
instance_type: "t2.small.search"
instance_count: 2
zone_awareness: false
dedicated_master: false
ebs_options:
ebs_enabled: true
volume_type: "gp2"
volume_size: 10
access_policies: "{{ lookup('file', 'policy.json') | from_json }}"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: Create OpenSearch domain with dedicated masters
community.aws.opensearch:
domain_name: "my-domain"
engine_version: OpenSearch_1.1
cluster_config:
instance_type: "t2.small.search"
instance_count: 12
dedicated_master: true
zone_awareness: true
availability_zone_count: 2
dedicated_master_instance_type: "t2.small.search"
dedicated_master_instance_count: 3
warm_enabled: true
warm_type: "ultrawarm1.medium.search"
warm_count: 1
cold_storage_options:
enabled: false
domain_endpoint_options:
enforce_https: true
ebs_options:
ebs_enabled: true
volume_type: "io1"
volume_size: 10
iops: 1000
vpc_options:
subnets:
- "subnet-e537d64a"
- "subnet-e537d64b"
security_groups:
- "sg-dd2f13cb"
- "sg-dd2f13cc"
snapshot_options:
automated_snapshot_start_hour: 13
access_policies: "{{ lookup('file', 'policy.json') | from_json }}"
encryption_at_rest_options:
enabled: false
node_to_node_encryption_options:
enabled: false
tags:
Environment: Development
Application: Search
wait: true